Earlier today I came across a phishing email that contained an embedded image with a malicious link in it. Once it was clicked, the site automatically redirected to another site, which then proceeded to download a JAR file. I tried to deobfuscate the Java code in my VM but did not get anywhere fast. Knowing that this was a RAT of some sort, I shifted gears and decided to run it on my Windows 7 VM.

When executing the malware, the initial process that ran was Java. It was later seen that the Java process also called icacls, cmd, and PowerShell. The following outlines what the Java process was doing.

– javaw.exe –> C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
++ This grants the Everyone group Modify (M) rights on the ".oracle_jre_usage" folder. (OI) and (CI) are the object-inherit and container-inherit flags: the new ACE propagates down to files and subfolders created beneath this folder; it does not pull inheritance from the parent. This call is the stock JRE usage-tracker behaviour and shows up when legitimate Java applications start as well, so on its own it is not an indicator of this malware.
— javaw.exe –> cmd.exe /c chcp 1252 > NUL & powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command -
+++ chcp 1252 switches the console code page to Windows-1252 (Western European), not the system language, with its output sent to NUL to keep things quiet. cmd then starts PowerShell with the execution policy bypassed, no profile, -NoExit so the session stays open, and -Command - so it reads its commands from standard input. That is the exact launch string the jPowerShell library uses to drive PowerShell from Java (its com/profesorfalken/jpowershell classes appear in the strings dump below), which means the commands actually executed, which looked here to be pulling IE history, are fed over stdin and never show up on any command line. Process-creation logging alone will not tell you what was run; you need PowerShell-side logging or a stdin capture from the sandbox for that.
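As an added example (not code from the original post), here is the process chain above expressed as a detection: three rules run over constructed Sysmon-style process-creation events. ParentImage, Image and CommandLine are real Sysmon Event ID 1 field names, but the events themselves are made up for the example. The high-confidence rule keys on the jPowerShell launch string, since the com/profesorfalken/jpowershell classes turn up in the strings dump later in the post; the icacls rule is kept informational because that ACL change is ordinary JRE behaviour.

```python
import re
from typing import Iterable

# Constructed sample process-creation events in the shape of Sysmon Event ID 1,
# trimmed to the three fields the rules use. Illustrative only, not telemetry
# captured from the infection in the post.
SAMPLE_EVENTS = [
    {   # javaw.exe -> icacls on the JRE usage-tracker folder
        "ParentImage": r"C:\Program Files\Java\jre\bin\javaw.exe",
        "Image": r"C:\Windows\System32\icacls.exe",
        "CommandLine": r'C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M',
    },
    {   # javaw.exe -> cmd.exe carrying the jPowerShell launch string
        "ParentImage": r"C:\Program Files\Java\jre\bin\javaw.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c chcp 1252 > NUL & powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command -",
    },
    {   # benign-looking: a Java build tool running a batch file
        "ParentImage": r"C:\Program Files\Java\jre\bin\java.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c gradlew.bat build",
    },
    {   # PowerShell with a non-Java parent: out of scope for these rules
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -Command Get-Date",
    },
]

JAVA_IMAGES = {"java.exe", "javaw.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}

# The launch string jPowerShell (com.profesorfalken.jpowershell) uses: set the
# console code page, then start PowerShell reading its commands from stdin
# ("-Command -"). An en dash is accepted in place of the final hyphen because
# pasted command lines are often mangled that way.
JPOWERSHELL_RE = re.compile(
    r"chcp\s+\d+\s*>\s*NUL\s*&\s*powershell(?:\.exe)?\s+.*-ExecutionPolicy\s+Bypass"
    r".*-Command\s+[-\u2013]\s*$",
    re.IGNORECASE,
)
# Stock JRE usage-tracker ACL change; recorded as informational, never alerted on.
JRE_USAGE_ICACLS_RE = re.compile(
    r"icacls(?:\.exe)?\s+.*\\\.oracle_jre_usage\s+/grant\s+\"?everyone\"?",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[dict]:
    """Return the findings a single process-creation event triggers."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    findings: list[dict] = []
    if parent not in JAVA_IMAGES:
        return findings
    if JPOWERSHELL_RE.search(cmdline):
        findings.append({"rule": "java_jpowershell_launch", "severity": "high",
                         "cmdline": cmdline})
    elif child in SHELL_IMAGES:
        # Any Java -> shell spawn deserves a look, but without the stdin launch
        # markers it is only medium confidence.
        findings.append({"rule": "java_spawns_shell", "severity": "medium",
                         "cmdline": cmdline})
    if child == "icacls.exe" and JRE_USAGE_ICACLS_RE.search(cmdline):
        findings.append({"rule": "jre_usage_tracker_icacls", "severity": "info",
                         "cmdline": cmdline})
    return findings


def detect(events: Iterable[dict]) -> list[dict]:
    """Run every event through the rules and collect the findings in order."""
    return [finding for event in events for finding in evaluate(event)]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']:<6}] {f['rule']}: {f['cmdline']}")
```

The rule order matters: the jPowerShell match is tested first so the same cmd.exe event is not double-counted as a generic Java-to-shell spawn, and the icacls rule is evaluated independently so it can ride along as context without raising the severity of anything.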

*** Note: I had not seen a Java RAT spawn a PoSH process in order to do this. Pretty cool trick to say the least and makes complete sense to be honest.

From what I can tell, there is no persistence with this malware. While it is running (the Java process), it performs encrypted/encoded network calls to the IP address 198.199.101.103 over TCP port 80.

Since I was not able to ID what this malware was, I reached out to some other researchers on Twitter. After one of the researchers was able to ID what this was, @James_inthe_box was able to pull some interesting strings from the process via a memory dump (I am assuming here), as seen in the tweet here. At that time I had already stopped the process from running, so I went and downloaded an application for Windows called strings2. I then started the malicious Java file again and let it spawn 3 or 4 threads that were calling out and connecting to the 198.199.101.103 address. I then suspended it and proceeded to dump the strings from the process. Once the log file from this was obtained, I used a strings script that James has been using for a long while now to search for interesting strings.

After looking at the output from this script, I managed to clean the output up some using the following command:

4656692 A *obfuscated/j/t/e/ByteClassLoader$1$1.classuq
4656833 A (obfuscated/j/t/e/ByteClassLoader$1.classuq
4656969 A &obfuscated/j/t/e/ByteClassLoader.classuq
4658009 A 1obfuscated/j/t/e/core/utils/AesStreamCipher.classuq
4658738 A -obfuscated/j/t/e/core/utils/Base64Coder.classuq
4658882 A )obfuscated/j/t/e/core/utils/Context.classuq
4660123 A =obfuscated/j/t/e/core/utils/EncryptedCipherOutputStream.classuq
4660423 A *obfuscated/j/t/e/core/utils/IOHelper.classuq
4661258 A )obfuscated/j/t/e/core/utils/Machine.classuq
4661390 A 7obfuscated/j/t/e/core/utils/NotClosingInputStream.classuq
4661936 A 8obfuscated/j/t/e/core/utils/NotClosingOutputStream.classuq
4662815 A %obfuscated/j/t/e/core/utils/Out.classuq
4663087 A *obfuscated/j/t/e/core/utils/Security.classuq
4663224 A 5obfuscated/j/t/e/core/utils/SessionKeyGenerator.classuq
4664149 A (obfuscated/j/t/e/core/utils/Sha256.classuq
4664971 A obfuscated/j/t/e/Main.classuq
4665085 A .obfuscated/j/t/e/Server$ServerConnection.classuq
4665676 A (obfuscated/j/t/e/Server$ServerInfo.classuq
4666568 A obfuscated/j/t/e/Server.classuq
4667929 A 0xOhJGxalrASCZyFe/easy/race/cow/Cagoule.jpeg1iness.jpgssclass
6182200 A j/t/e/Server$ServerInfo.class
6182231 A j/t/e/Server$ServerInfo.class
6185372 A .class
6223052 A j/t/e/Server$ServerConnection.class
6223089 A j/t/e/Server$ServerConnection.class
6244760 A j/t/e/core/utils/EncryptedCipherInputStream.class
6244811 A j/t/e/core/utils/EncryptedCipherInputStream.class
6267908 A j/t/e/core/utils/EncryptedCipherOutputStream.class
6267960 A j/t/e/core/utils/EncryptedCipherOutputStream.class
6286107 A j/t/e/core/utils/NotClosingInputStream.class
6286153 A j/t/e/core/utils/NotClosingInputStream.class
6312679 A j/t/e/core/utils/SessionKeyGenerator.class
6312723 A j/t/e/core/utils/SessionKeyGenerator.class
6335468 A j/t/e/core/utils/Sha256.class
6335499 A j/t/e/core/utils/Sha256.class
6358170 A j/t/e/core/utils/AesStreamCipher.class
6358210 A j/t/e/core/utils/AesStreamCipher.class
6380092 A j/t/e/core/utils/NotClosingOutputStream.class
6380139 A j/t/e/core/utils/NotClosingOutputStream.class
6402846 A j/t/e/core/utils/Machine.class
6402878 A j/t/e/core/utils/Machine.class
6421895 A j/t/e/core/utils/IOHelper.class
6421928 A j/t/e/core/utils/IOHelper.class
6444510 A j/t/e/credential/softwares/svn/Tortoise.classPK
6444598 A j/t/e/credential/softwares/windows/Credman.classPK
6444650 A j/t/e/MainEx$1.classPK
6444682 A j/t/e/MainEx.classPK
6444849 A j/t/e/core/utils/ByteClassLoaderEx.class
6445010 A j/t/e/core/utils/ByteClassLoaderEx.class
6445219 A j/t/e/core/utils/ByteClassLoaderEx.class
6445335 A j/t/e/core/utils/CryptoUtils.class
6445510 A j/t/e/core/utils/ByteClassLoaderEx.class
6445632 A j/t/e/core/utils/CryptoUtils.class
6445946 A j/t/e/core/utils/ByteClassLoaderEx.class
6446068 A j/t/e/core/utils/CryptoUtils.class
6446224 A j/t/e/core/utils/DES3.class
6446298 A j/t/e/core/utils/FileUtils.class
6446404 A j/t/e/core/utils/DES3.class
6446478 A j/t/e/core/utils/FileUtils.class
6446761 A j/t/e/core/utils/ByteClassLoaderEx.class
6446883 A j/t/e/core/utils/CryptoUtils.class
6447039 A j/t/e/core/utils/DES3.class
6447113 A j/t/e/core/utils/FileUtils.class
6447345 A j/t/e/core/utils/Formatter.class
6447507 A j/t/e/core/utils/IPAddress.classuU
6447716 A j/t/e/core/utils/Formatter.class
6447878 A j/t/e/core/utils/IPAddress.classuU
6448031 A e/utils/ShutdownHook.class
6448206 A j/t/e/core/utils/ByteClassLoaderEx.class
6448328 A j/t/e/core/utils/CryptoUtils.class
6448484 A j/t/e/core/utils/DES3.class
6448558 A j/t/e/core/utils/FileUtils.class
6448790 A j/t/e/core/utils/Formatter.class
6448952 A j/t/e/core/utils/IPAddress.classuU
6449094 A j/t/e/core/utils/ShutdownHook.class
6449263 A j/t/e/core/utils/Sqlite3Manager.class
6449368 A j/t/e/core/utils/Struct.classuUKl
6449542 A j/t/e/credential/config/Constant$1.class
6449614 A j/t/e/credential/config/Constant$2.class
6449695 A j/t/e/credential/config/Constant.class
6449987 A j/t/e/credential/config/winstructure/Advapi32_Credentials.class
6450175 A j/t/e/core/utils/Sqlite3Manager.class
6450280 A j/t/e/core/utils/Struct.classuUKl
6450452 A j/t/e/credential/config/Constant$1.class
6450524 A j/t/e/credential/config/Constant$2.class
6450605 A j/t/e/credential/config/Constant.class
6450897 A j/t/e/credential/config/winstructure/Advapi32_Credentials.class
6450993 A ntial/config/winstructure/Credential$ByReference.class
6451079 A j/t/e/credential/config/winstructure/Credential.class
6451247 A j/t/e/core/utils/ByteClassLoaderEx.class
6451369 A j/t/e/core/utils/CryptoUtils.class
6451525 A j/t/e/core/utils/DES3.class
6451599 A j/t/e/core/utils/FileUtils.class
6451831 A j/t/e/core/utils/Formatter.class
6451993 A j/t/e/core/utils/IPAddress.classuU
6452135 A j/t/e/core/utils/ShutdownHook.class
6452304 A j/t/e/core/utils/Sqlite3Manager.class
6452409 A j/t/e/core/utils/Struct.classuUKl
6452583 A j/t/e/credential/config/Constant$1.class
6452655 A j/t/e/credential/config/Constant$2.class
6452736 A j/t/e/credential/config/Constant.class
6453028 A j/t/e/credential/config/winstructure/Advapi32_Credentials.class
6453111 A j/t/e/credential/config/winstructure/Credential$ByReference.class
6453208 A j/t/e/credential/config/winstructure/Credential.class
6453331 A j/t/e/credential/config/winstructure/CredentialPersistType.class
6453481 A j/t/e/credential/config/winstructure/CredentialType.class
6453630 A j/t/e/credential/config/winstructure/GenericWindowsCredentials.class
6453760 A j/t/e/credential/config/winstructure/WindowsCredentialManager.class
6454018 A j/t/e/credential/softwares/browsers/Browser.class
6454140 A j/t/e/credential/softwares/browsers/ChromiumBased$1.class
6454252 A j/t/e/credential/softwares/browsers/ChromiumBased.class
6454867 A j/t/e/credential/softwares/browsers/IEUrl.class
6454953 A j/t/e/credential/softwares/browsers/IExplorer.class
6455331 A j/t/e/credential/config/winstructure/CredentialPersistType.class
6455481 A j/t/e/credential/config/winstructure/CredentialType.class
6455630 A j/t/e/credential/config/winstructure/GenericWindowsCredentials.class
6455760 A j/t/e/credential/config/winstructure/WindowsCredentialManager.class
6456018 A j/t/e/credential/softwares/browsers/Browser.class
6456140 A j/t/e/credential/softwares/browsers/ChromiumBased$1.class
6456252 A j/t/e/credential/softwares/browsers/ChromiumBased.class
6456894 A s/browsers/IEUrl.class
6456955 A j/t/e/credential/softwares/browsers/IExplorer.class
6457432 A j/t/e/core/utils/ByteClassLoaderEx.class
6457554 A j/t/e/core/utils/CryptoUtils.class
6457710 A j/t/e/core/utils/DES3.class
6457784 A j/t/e/core/utils/FileUtils.class
6458016 A j/t/e/core/utils/Formatter.class
6458178 A j/t/e/core/utils/IPAddress.classuU
6458320 A j/t/e/core/utils/ShutdownHook.class
6458489 A j/t/e/core/utils/Sqlite3Manager.class
6458594 A j/t/e/core/utils/Struct.classuUKl
6458768 A j/t/e/credential/config/Constant$1.class
6458840 A j/t/e/credential/config/Constant$2.class
6458921 A j/t/e/credential/config/Constant.class
6459213 A j/t/e/credential/config/winstructure/Advapi32_Credentials.class
6459296 A j/t/e/credential/config/winstructure/Credential$ByReference.class
6459393 A j/t/e/credential/config/winstructure/Credential.class
6459516 A j/t/e/credential/config/winstructure/CredentialPersistType.class
6459666 A j/t/e/credential/config/winstructure/CredentialType.class
6459815 A j/t/e/credential/config/winstructure/GenericWindowsCredentials.class
6459945 A j/t/e/credential/config/winstructure/WindowsCredentialManager.class
6460203 A j/t/e/credential/softwares/browsers/Browser.class
6460325 A j/t/e/credential/softwares/browsers/ChromiumBased$1.class
6460437 A j/t/e/credential/softwares/browsers/ChromiumBased.class
6461052 A j/t/e/credential/softwares/browsers/IEUrl.class
6461138 A j/t/e/credential/softwares/browsers/IExplorer.class
6461664 A j/t/e/credential/softwares/browsers/MozillaBased.class
6462666 A j/t/e/credential/softwares/browsers/UCBrowser.class
6462825 A j/t/e/credential/softwares/chats/Pidgin.class
6463068 A j/t/e/credential/softwares/databases/PostgreSQL.class
6463227 A j/t/e/credential/softwares/databases/Squirrel.class
6463459 A j/t/e/credential/softwares/mails/Outlook.class
6463810 A j/t/e/credential/softwares/php/Composer.class
6464040 A j/t/e/credential/softwares/Software.class
6464114 A j/t/e/credential/softwares/SoftwareData.class
6464344 A j/t/e/credential/softwares/svn/Tortoise.class
6464604 A j/t/e/credential/softwares/windows/Credman.class
6464862 A j/t/e/MainEx$1.class
6464909 A j/t/e/MainEx.class
6465237 A j/t/e/credential/softwares/browsers/MozillaBased.class
6466231 A j/t/e/credential/softwares/browsers/UCBrowser.class
6466390 A j/t/e/credential/softwares/chats/Pidgin.class
6466633 A j/t/e/credential/softwares/databases/PostgreSQL.class
6466792 A j/t/e/credential/softwares/databases/Squirrel.class
6467024 A j/t/e/credential/softwares/mails/Outlook.class
6467375 A j/t/e/credential/softwares/php/Composer.class
6467597 A j/t/e/credential/softwares/Software.class
6467671 A j/t/e/credential/softwares/SoftwareData.class
6467901 A j/t/e/credential/softwares/svn/Tortoise.class
6468161 A j/t/e/credential/softwares/windows/Credman.class
6468419 A j/t/e/MainEx$1.class
6468466 A j/t/e/MainEx.class
6468846 A j/t/e/core/utils/ByteClassLoaderEx.classPK
6468890 A j/t/e/core/utils/CryptoUtils.classPK
6468928 A j/t/e/core/utils/DES3.classPK
6468959 A j/t/e/core/utils/FileUtils.classPK
6468995 A j/t/e/core/utils/Formatter.classPK
6469031 A j/t/e/core/utils/IPAddress.classPK
6469067 A j/t/e/core/utils/ShutdownHook.classPK
6469113 A /core/utils/Sqlite3Manager.classPK
6469149 A j/t/e/core/utils/Struct.classPK
6469231 A j/t/e/credential/config/Constant$1.classPK
6469275 A j/t/e/credential/config/Constant$2.classPK
6469319 A j/t/e/credential/config/Constant.classPK
6469413 A dential/config/winstructure/Advapi32_Credentials.classPK
6469471 A j/t/e/credential/config/winstructure/Credential$ByReference.classPK
6469540 A j/t/e/credential/config/winstructure/Credential.classPK
6469597 A j/t/e/credential/config/winstructure/CredentialPersistType.classPK
6469672 A j/t/e/credential/config/winstructure/CredentialType.classPK
6469733 A j/t/e/credential/config/winstructure/GenericWindowsCredentials.classPK
6469805 A j/t/e/credential/config/winstructure/WindowsCredentialManager.classPK
6469947 A j/t/e/credential/softwares/browsers/Browser.classPK
6470026 A es/browsers/ChromiumBased$1.classPK
6470063 A j/t/e/credential/softwares/browsers/ChromiumBased.classPK
6470122 A j/t/e/credential/softwares/browsers/IEUrl.classPK
6470173 A j/t/e/credential/softwares/browsers/IExplorer.classPK
6470228 A j/t/e/credential/softwares/browsers/MozillaBased.classPK
6470330 A ser.classPK
6470380 A j/t/e/credential/softwares/chats/Pidgin.classPK
6470470 A j/t/e/credential/softwares/databases/PostgreSQL.classPK
6470527 A j/t/e/credential/softwares/databases/Squirrel.classPK
6470621 A j/t/e/credential/softwares/mails/Outlook.classPK
6470706 A j/t/e/credential/softwares/php/Composer.classPK
6470755 A j/t/e/credential/softwares/Software.classPK
6470800 A j/t/e/credential/softwares/SoftwareData.classPK
6470881 A j/t/e/credential/softwares/svn/Tortoise.classPK
6470969 A j/t/e/credential/softwares/windows/Credman.classPK
6471021 A j/t/e/MainEx$1.classPK
6471053 A j/t/e/MainEx.classPK
6471365 A j/t/e/core/utils/ByteClassLoaderEx.class
6471487 A j/t/e/core/utils/CryptoUtils.class
6471643 A j/t/e/core/utils/DES3.class
6471717 A j/t/e/core/utils/FileUtils.class
6471949 A j/t/e/core/utils/Formatter.class
6472111 A j/t/e/core/utils/IPAddress.classuU
6472253 A j/t/e/core/utils/ShutdownHook.class
6472422 A j/t/e/core/utils/Sqlite3Manager.class
6472527 A j/t/e/core/utils/Struct.classuUKl
6472701 A j/t/e/credential/config/Constant$1.class
6472773 A j/t/e/credential/config/Constant$2.class
6472854 A j/t/e/credential/config/Constant.class
6473146 A j/t/e/credential/config/winstructure/Advapi32_Credentials.class
6473229 A j/t/e/credential/config/winstructure/Credential$ByReference.class
6473326 A j/t/e/credential/config/winstructure/Credential.class
6473449 A j/t/e/credential/config/winstructure/CredentialPersistType.class
6473599 A j/t/e/credential/config/winstructure/CredentialType.class
6473748 A j/t/e/credential/config/winstructure/GenericWindowsCredentials.class
6473878 A j/t/e/credential/config/winstructure/WindowsCredentialManager.class
6474136 A j/t/e/credential/softwares/browsers/Browser.class
6474258 A j/t/e/credential/softwares/browsers/ChromiumBased$1.class
6474370 A j/t/e/credential/softwares/browsers/ChromiumBased.class
6474985 A j/t/e/credential/softwares/browsers/IEUrl.class
6475071 A j/t/e/credential/softwares/browsers/IExplorer.class
6475597 A j/t/e/credential/softwares/browsers/MozillaBased.class
6476599 A j/t/e/credential/softwares/browsers/UCBrowser.class
6476758 A j/t/e/credential/softwares/chats/Pidgin.class
6477001 A j/t/e/credential/softwares/databases/PostgreSQL.class
6477160 A j/t/e/credential/softwares/databases/Squirrel.class
6477392 A j/t/e/credential/softwares/mails/Outlook.class
6477743 A j/t/e/credential/softwares/php/Composer.class
6477973 A j/t/e/credential/softwares/Software.class
6478047 A j/t/e/credential/softwares/SoftwareData.class
6478277 A j/t/e/credential/softwares/svn/Tortoise.class
6478537 A j/t/e/credential/softwares/windows/Credman.class
6478795 A j/t/e/MainEx$1.class
6478842 A j/t/e/MainEx.class
6479221 A j/t/e/core/utils/ByteClassLoaderEx.classPK
6479265 A j/t/e/core/utils/CryptoUtils.classPK
6479303 A j/t/e/core/utils/DES3.classPK
6479334 A j/t/e/core/utils/FileUtils.classPK
6479370 A j/t/e/core/utils/Formatter.classPK
6479406 A j/t/e/core/utils/IPAddress.classPK
6479442 A j/t/e/core/utils/ShutdownHook.classPK
6479481 A j/t/e/core/utils/Sqlite3Manager.classPK
6479522 A j/t/e/core/utils/Struct.classPK
6479604 A j/t/e/credential/config/Constant$1.classPK
6479648 A j/t/e/credential/config/Constant$2.classPK
6479692 A j/t/e/credential/config/Constant.classPK
6479775 A j/t/e/credential/config/winstructure/Advapi32_Credentials.classPK
6479842 A j/t/e/credential/config/winstructure/Credential$ByReference.classPK
6479911 A j/t/e/credential/config/winstructure/Credential.classPK
6479968 A j/t/e/credential/config/winstructure/CredentialPersistType.classPK
6480043 A j/t/e/credential/config/winstructure/CredentialType.classPK
6480104 A j/t/e/credential/config/winstructure/GenericWindowsCredentials.classPK
6480176 A j/t/e/credential/config/winstructure/WindowsCredentialManager.classPK
6480318 A j/t/e/credential/softwares/browsers/Browser.classPK
6480371 A j/t/e/credential/softwares/browsers/ChromiumBased$1.classPK
6480432 A j/t/e/credential/softwares/browsers/ChromiumBased.classPK
6480491 A j/t/e/credential/softwares/browsers/IEUrl.classPK
6480542 A j/t/e/credential/softwares/browsers/IExplorer.classPK
6480597 A j/t/e/credential/softwares/browsers/MozillaBased.classPK
6480655 A j/t/e/credential/softwares/browsers/UCBrowser.classPK
6480747 A j/t/e/credential/softwares/chats/Pidgin.classPK
6480837 A j/t/e/credential/softwares/databases/PostgreSQL.classPK
6480894 A j/t/e/credential/softwares/databases/Squirrel.classPK
6480986 A j/t/e/credential/softwares/mails/Outlook.classPK
6481071 A j/t/e/credential/softwares/php/Composer.classPK
6481120 A j/t/e/credential/softwares/Software.classPK
6481165 A j/t/e/credential/softwares/SoftwareData.classPK
6481249 A j/t/e/credential/softwares/svn/Tortoise.classPK
6481337 A j/t/e/credential/softwares/windows/Credman.classPK
6481389 A j/t/e/MainEx$1.classPK
6481421 A j/t/e/MainEx.classPK
6481588 A j/t/e/core/utils/ByteClassLoaderEx.class
6481710 A j/t/e/core/utils/CryptoUtils.class
6481866 A j/t/e/core/utils/DES3.class
6481940 A j/t/e/core/utils/FileUtils.class
6482172 A j/t/e/core/utils/Formatter.class
6482334 A j/t/e/core/utils/IPAddress.classuU
6482476 A j/t/e/core/utils/ShutdownHook.class
6482645 A j/t/e/core/utils/Sqlite3Manager.class
6482750 A j/t/e/core/utils/Struct.classuUKl
6482924 A j/t/e/credential/config/Constant$1.class
6482996 A j/t/e/credential/config/Constant$2.class
6483077 A j/t/e/credential/config/Constant.class
6483369 A j/t/e/credential/config/winstructure/Advapi32_Credentials.class
6483452 A j/t/e/credential/config/winstructure/Credential$ByReference.class
6483549 A j/t/e/credential/config/winstructure/Credential.class
6483672 A j/t/e/credential/config/winstructure/CredentialPersistType.class
6483822 A j/t/e/credential/config/winstructure/CredentialType.class
6483971 A j/t/e/credential/config/winstructure/GenericWindowsCredentials.class
6484101 A j/t/e/credential/config/winstructure/WindowsCredentialManager.class
6484359 A j/t/e/credential/softwares/browsers/Browser.class
6484481 A j/t/e/credential/softwares/browsers/ChromiumBased$1.class
6484593 A j/t/e/credential/softwares/browsers/ChromiumBased.class
6485208 A j/t/e/credential/softwares/browsers/IEUrl.class
6485294 A j/t/e/credential/softwares/browsers/IExplorer.class
6485820 A j/t/e/credential/softwares/browsers/MozillaBased.class
6486822 A j/t/e/credential/softwares/browsers/UCBrowser.class
6486981 A j/t/e/credential/softwares/chats/Pidgin.class
6487224 A j/t/e/credential/softwares/databases/PostgreSQL.class
6487383 A j/t/e/credential/softwares/databases/Squirrel.class
6487615 A j/t/e/credential/softwares/mails/Outlook.class
6487966 A j/t/e/credential/softwares/php/Composer.class
6488196 A j/t/e/credential/softwares/Software.class
6488270 A j/t/e/credential/softwares/SoftwareData.class
6488500 A j/t/e/credential/softwares/svn/Tortoise.class
6488760 A j/t/e/credential/softwares/windows/Credman.class
6489018 A j/t/e/MainEx$1.class
6489065 A j/t/e/MainEx.class
6489444 A j/t/e/core/utils/ByteClassLoaderEx.classPK
6489488 A j/t/e/core/utils/CryptoUtils.classPK
6489526 A j/t/e/core/utils/DES3.classPK
6489557 A j/t/e/core/utils/FileUtils.classPK
6489593 A j/t/e/core/utils/Formatter.classPK
6489629 A j/t/e/core/utils/IPAddress.classPK
6489665 A j/t/e/core/utils/ShutdownHook.classPK
6489704 A j/t/e/core/utils/Sqlite3Manager.classPK
6489745 A j/t/e/core/utils/Struct.classPK
6489827 A j/t/e/credential/config/Constant$1.classPK
6489871 A j/t/e/credential/config/Constant$2.classPK
6489915 A j/t/e/credential/config/Constant.classPK
6489998 A j/t/e/credential/config/winstructure/Advapi32_Credentials.classPK
6490065 A j/t/e/credential/config/winstructure/Credential$ByReference.classPK
6490134 A j/t/e/credential/config/winstructure/Credential.classPK
6490191 A j/t/e/credential/config/winstructure/CredentialPersistType.classPK
6490266 A j/t/e/credential/config/winstructure/CredentialType.classPK
6490327 A j/t/e/credential/config/winstructure/GenericWindowsCredentials.classPK
6490399 A j/t/e/credential/config/winstructure/WindowsCredentialManager.classPK
6490541 A j/t/e/credential/softwares/browsers/Browser.classPK
6490594 A j/t/e/credential/softwares/browsers/ChromiumBased$1.classPK
6490655 A j/t/e/credential/softwares/browsers/ChromiumBased.classPK
6490714 A j/t/e/credential/softwares/browsers/IEUrl.classPK
6490765 A j/t/e/credential/softwares/browsers/IExplorer.classPK
6490820 A j/t/e/credential/softwares/browsers/MozillaBased.classPK
6490878 A j/t/e/credential/softwares/browsers/UCBrowser.classPK
6490970 A j/t/e/credential/softwares/chats/Pidgin.classPK
6491060 A j/t/e/credential/softwares/databases/PostgreSQL.classPK
6491117 A j/t/e/credential/softwares/databases/Squirrel.classPK
6491209 A j/t/e/credential/softwares/mails/Outlook.classPK
6491294 A j/t/e/credential/softwares/php/Composer.classPK
6491343 A j/t/e/credential/softwares/Software.classPK
6491388 A j/t/e/credential/softwares/SoftwareData.classPK
6491472 A j/t/e/credential/softwares/svn/Tortoise.classPK
6491560 A j/t/e/credential/softwares/windows/Credman.classPK
7013039 A com/profesorfalken/jpowershell/OSDetector.class
7013128 A com/profesorfalken/jpowershell/PowerShell.class
7013760 A com/profesorfalken/jpowershell/PowerShellCodepage.class
7014116 A com/profesorfalken/jpowershell/PowerShellCommandProcessor.class
7014370 A com/profesorfalken/jpowershell/PowerShellConfig.class
7014483 A com/profesorfalken/jpowershell/PowerShellNotAvailableException.class
7014591 A com/profesorfalken/jpowershell/PowerShellResponse.class
7014673 A com/profesorfalken/jpowershell/PowerShellResponseHandler.class
7015330 A com/profesorfalken/jpowershell/OSDetector.classPK
7015381 A com/profesorfalken/jpowershell/PowerShell.classPK
7015432 A com/profesorfalken/jpowershell/PowerShellCodepage.classPK
7015497 A com/profesorfalken/jpowershell/PowerShellCommandProcessor.classPK
7015564 A com/profesorfalken/jpowershell/PowerShellConfig.classPK
7015621 A com/profesorfalken/jpowershell/PowerShellNotAvailableException.classPK
7015693 A com/profesorfalken/jpowershell/PowerShellResponse.classPK
7015759 A com/profesorfalken/jpowershell/PowerShellResponseHandler.classPK
7016912 A org/json/CDL.class
7017113 A org/json/Cookie.class
7017263 A org/json/CookieList.class
7017337 A org/json/HTTP.class
7017546 A org/json/HTTPTokener.classuSMS
7017635 A org/json/JSONArray.class
7018125 A org/json/JSONException.classu
7018208 A org/json/JSONML.class
7018610 A org/json/JSONObject$1.class;
7018682 A org/json/JSONObject$Null.classuQMO
7018775 A org/json/JSONObject.class
7019927 A org/json/JSONString.class;
7019976 A org/json/JSONStringer.classm
7020038 A org/json/JSONTokener.class
7020306 A org/json/JSONWriter.class
7020499 A org/json/Property.classu
7020602 A org/json/XML.class
7020962 A org/json/XMLTokener.class
7021531 A org/json/CDL.classPK
7021553 A org/json/Cookie.classPK
7021584 A org/json/CookieList.classPK
7021613 A org/json/HTTP.classPK
7021636 A org/json/HTTPTokener.classPK
7021666 A org/json/JSONArray.classPK
7021700 A org/json/JSONException.classPK
7021732 A org/json/JSONML.classPK
7021763 A org/json/JSONObject$1.classPK
7021794 A org/json/JSONObject$Null.classPK
7021828 A org/json/JSONObject.classPK
7021863 A org/json/JSONString.classPK
7021898 A org/json/JSONStringer.classPK
7021935 A org/json/JSONTokener.classPK
7021971 A org/json/JSONWriter.classPK
7022006 A org/json/Property.classPK
7022033 A org/json/XML.classPK
7022055 A org/json/XMLTokener.classPK
7022197 A j/t/e/core/utils/ByteClassLoaderEx.class
7022319 A j/t/e/core/utils/CryptoUtils.class
7022475 A j/t/e/core/utils/DES3.class
7022549 A j/t/e/core/utils/FileUtils.class
7022781 A j/t/e/core/utils/Formatter.class
7022943 A j/t/e/core/utils/IPAddress.classuU
7023085 A j/t/e/core/utils/ShutdownHook.class
7023254 A j/t/e/core/utils/Sqlite3Manager.class
7023359 A j/t/e/core/utils/Struct.classuUKl
7023533 A j/t/e/credential/config/Constant$1.class
7023605 A j/t/e/credential/config/Constant$2.class
7023686 A j/t/e/credential/config/Constant.class
7023978 A j/t/e/credential/config/winstructure/Advapi32_Credentials.class
7024061 A j/t/e/credential/config/winstructure/Credential$ByReference.class
7024158 A j/t/e/credential/config/winstructure/Credential.class
7024281 A j/t/e/credential/config/winstructure/CredentialPersistType.class
7024431 A j/t/e/credential/config/winstructure/CredentialType.class
7024580 A j/t/e/credential/config/winstructure/GenericWindowsCredentials.class
7024710 A j/t/e/credential/config/winstructure/WindowsCredentialManager.class
7024968 A j/t/e/credential/softwares/browsers/Browser.class
7025090 A j/t/e/credential/softwares/browsers/ChromiumBased$1.class
7025202 A j/t/e/credential/softwares/browsers/ChromiumBased.class
7025817 A j/t/e/credential/softwares/browsers/IEUrl.class
7025903 A j/t/e/credential/softwares/browsers/IExplorer.class
7026429 A j/t/e/credential/softwares/browsers/MozillaBased.class
7027431 A j/t/e/credential/softwares/browsers/UCBrowser.class
7027590 A j/t/e/credential/softwares/chats/Pidgin.class
7027833 A j/t/e/credential/softwares/databases/PostgreSQL.class
7027992 A j/t/e/credential/softwares/databases/Squirrel.class
7028224 A j/t/e/credential/softwares/mails/Outlook.class
7028575 A j/t/e/credential/softwares/php/Composer.class
7028805 A j/t/e/credential/softwares/Software.class
7028879 A j/t/e/credential/softwares/SoftwareData.class
7029109 A j/t/e/credential/softwares/svn/Tortoise.class
7029369 A j/t/e/credential/softwares/windows/Credman.class
7029627 A j/t/e/MainEx$1.class
7029674 A j/t/e/MainEx.class
7030053 A j/t/e/core/utils/ByteClassLoaderEx.classPK
7030097 A j/t/e/core/utils/CryptoUtils.classPK
7030135 A j/t/e/core/utils/DES3.classPK
7030166 A j/t/e/core/utils/FileUtils.classPK
7030202 A j/t/e/core/utils/Formatter.classPK
7030238 A j/t/e/core/utils/IPAddress.classPK
7030274 A j/t/e/core/utils/ShutdownHook.classPK
7030313 A j/t/e/core/utils/Sqlite3Manager.classPK
7030354 A j/t/e/core/utils/Struct.classPK
7030436 A j/t/e/credential/config/Constant$1.classPK
7030480 A j/t/e/credential/config/Constant$2.classPK
7030524 A j/t/e/credential/config/Constant.classPK
7030607 A j/t/e/credential/config/winstructure/Advapi32_Credentials.classPK
7030674 A j/t/e/credential/config/winstructure/Credential$ByReference.classPK
7030743 A j/t/e/credential/config/winstructure/Credential.classPK
7030800 A j/t/e/credential/config/winstructure/CredentialPersistType.classPK
7030875 A j/t/e/credential/config/winstructure/CredentialType.classPK
7030936 A j/t/e/credential/config/winstructure/GenericWindowsCredentials.classPK
7031008 A j/t/e/credential/config/winstructure/WindowsCredentialManager.classPK
7031150 A j/t/e/credential/softwares/browsers/Browser.classPK
7031203 A j/t/e/credential/softwares/browsers/ChromiumBased$1.classPK
7031264 A j/t/e/credential/softwares/browsers/ChromiumBased.classPK
7031323 A j/t/e/credential/softwares/browsers/IEUrl.classPK
7031374 A j/t/e/credential/softwares/browsers/IExplorer.classPK
7031429 A j/t/e/credential/softwares/browsers/MozillaBased.classPK
7031487 A j/t/e/credential/softwares/browsers/UCBrowser.classPK
7031579 A j/t/e/credential/softwares/chats/Pidgin.classPK
7031669 A j/t/e/credential/softwares/databases/PostgreSQL.classPK
7031726 A j/t/e/credential/softwares/databases/Squirrel.classPK
7031818 A j/t/e/credential/softwares/mails/Outlook.classPK
7031903 A j/t/e/credential/softwares/php/Composer.classPK
7031952 A j/t/e/credential/softwares/Software.classPK
7031997 A j/t/e/credential/softwares/SoftwareData.classPK
7032081 A j/t/e/credential/softwares/svn/Tortoise.classPK
7032169 A j/t/e/credential/softwares/windows/Credman.classPK
7032221 A j/t/e/MainEx$1.classPK
7032253 A j/t/e/MainEx.classPK
7044446 A Main class

With this information we can see what the RAT was looking for and trying to obtain: the class names alone show credential harvesting aimed at Chromium- and Mozilla-based browsers, Internet Explorer, UC Browser, Pidgin, PostgreSQL and Squirrel, Outlook, Composer, TortoiseSVN and the Windows Credential Manager (Credman), alongside crypto helpers (AesStreamCipher, DES3, SessionKeyGenerator) consistent with the encrypted traffic seen on port 80. The artifacts from this infection can be found below in one of my GitHub repos.
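The dump-and-filter step described earlier (suspend the process, pull its strings, grep for the interesting ones, clean up the output) and the read-out of what the class list reveals, as an added example that is neither strings2 nor the author's script: a small Python reimplementation that extracts ASCII and UTF-16LE strings with offsets from a byte blob, strips the ZIP header bytes that trail every class name in the listing above ("uq", "PK", "uUKl"), and groups the credential-stealer classes by target. The dump it runs on is constructed inline to mimic a JAR sitting in process memory; the class names are copied from the listing, and nothing else comes from the real sample.

```python
import re
from collections import defaultdict
from typing import Iterator

PRINTABLE = set(range(0x20, 0x7F))
CLASS_RE = re.compile(r"[A-Za-z0-9_$/]+\.class")


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process memory dump (not the real one): ZIP
    local-file headers and central-directory entries whose names are class
    paths, padded with binary filler, plus one UTF-16LE string. The bytes that
    follow each name are what make strings output read '...classuq' and
    '...classPK', exactly as in the listing."""
    names = [
        b"j/t/e/core/utils/AesStreamCipher.class",
        b"j/t/e/credential/softwares/browsers/ChromiumBased.class",
        b"j/t/e/credential/softwares/mails/Outlook.class",
        b"j/t/e/credential/softwares/windows/Credman.class",
        b"j/t/e/credential/softwares/Software.class",
    ]
    blob = bytearray(b"\x00\x01\x02\x03" * 4)
    for name in names:   # local file header, name, then deflated data ('uq...')
        blob += b"PK\x03\x04" + b"\x14\x00\x08\x08" + name + b"uq\x8b\x92\x00"
    for name in names:   # central directory: name runs straight into the next 'PK\x01\x02'
        blob += b"PK\x01\x02" + b"\x14\x00\x14\x00" + name
    blob += b"PK\x05\x06" + b"\x00" * 4          # end-of-central-directory record
    blob += "Main class".encode("utf-16-le") + b"\x00\x00"
    return bytes(blob)


def ascii_strings(data: bytes, min_len: int = 4) -> Iterator[tuple[int, str]]:
    """Yield (offset, text) for every run of printable ASCII of min_len or more."""
    start = None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                yield start, data[start:i].decode("ascii")
            start = None
    if start is not None and len(data) - start >= min_len:
        yield start, data[start:].decode("ascii")


def utf16le_strings(data: bytes, min_len: int = 4) -> Iterator[tuple[int, str]]:
    """Yield (offset, text) for runs of ASCII characters encoded as UTF-16LE."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in pat.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")


def dump_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Render strings2-style lines: '<offset> <A|U> <text>', sorted by offset."""
    rows = [(off, "A", text) for off, text in ascii_strings(data, min_len)]
    rows += [(off, "U", text) for off, text in utf16le_strings(data, min_len)]
    return [f"{off} {kind} {text}" for off, kind, text in sorted(rows)]


def class_paths(lines: list[str]) -> list[str]:
    """Extract unique class paths from strings output, discarding the ZIP
    header bytes glued onto the end of each name ('uq', 'PK', 'uUKl', ...)."""
    found = {m.group() for line in lines for m in CLASS_RE.finditer(line)}
    return sorted(found)


def capability_summary(paths: list[str]) -> dict[str, list[str]]:
    """Group the credential-stealer classes by the target category encoded in
    their package path (j/t/e/credential/softwares/<category>/<Target>.class)."""
    summary: dict[str, list[str]] = defaultdict(list)
    for path in paths:
        parts = path.split("/")
        if "credential" in parts and "softwares" in parts:
            idx = parts.index("softwares")
            if len(parts) > idx + 2:      # skip base classes directly under softwares/
                summary[parts[idx + 1]].append(parts[-1][: -len(".class")])
    return {category: sorted(names) for category, names in sorted(summary.items())}


if __name__ == "__main__":
    lines = dump_strings(build_sample_dump())
    print("\n".join(lines))
    print(capability_summary(class_paths(lines)))
```

Run against a real strings2 log instead of the constructed dump, class_paths collapses the hundreds of repeated entries in the listing (the JAR carries the same classes several times over) to one line per class, and capability_summary turns that into the per-target view that the conclusion above draws by hand.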